QUP-G-827

23 J «V 1380 



MEMORANDUM FOR: Chief, Information Systems Security Group, OS

25X1A

FROM:           t r.taff, ODP

SUBJECT:        Draft Security Requirements for Automated
                Information Systems Located in Overseas
                Installations (U)



1. Office of Data Processing personnel have reviewed
the draft of security requirements for automated information
systems located in overseas installations. We recognize the
importance of prescribing policy in this area and we recommend
that the following suggestions be incorporated in the next
revision. The last paragraph of this memorandum contains a
summary of the recommendations. (U)

2. The requirement for semiconductor volatile memory
(IV.D.1.b) may become over-restrictive, e.g., it might
affect the use of bubble memories in the future. (S)

3. One of the principal reasons for automating field
stations is to make them more efficient and to reduce the
vulnerability of information especially if a station is
overrun. Although the draft specifies that removable data storage
media shall be used (IV.lni.c), the draft does not address how
data should be stored on the media. Considering the possibility
of large information banks in the field, stronger guidelines
are needed as to what and how much data should be kept in
the field and under what conditions. {£)


For instance, should the data stored on field media be 
encrypted? (S) 


If a cassette or a floppy disk were compromised, the
problem of damage assessment is not addressed. Since there
is no requirement for maintaining volume data set catalogs,
the Agency would not know what data were lost. (S)

Perhaps the removability of storage media ought not
be an absolute requirement for overseas computers inasmuch as
technology appears to be moving in the direction of
non-removability. If this restriction is removed, then procedures
should be included to govern how non-removable media is to be
handled (e.g., guarded, encrypted, destroyed, etc.). (S)

4. The requirement in IV.D.2.4 for system software to
handle all interrupts in a known and secure manner implies
that only provably secure operating systems would be allowed.
Such operating systems are being developed but are not
available now. The draft does not address system software
certification or waiver procedures. (U)

5. Paragraph IV. P.5, a ..2 specifies that "only those
terminals designated for the security classification access
level being processed shall be logically connected..." The
draft could easily specify that terminals not so designated
be electrically disconnected by means of a patch panel or other
similar arrangement. The specification of "logically" implies
that the system software would control access and this is an
unnecessary spillage risk. (S)

6. The requirement for each data file to be controlled
by a file password and indicators to inscribe to the system the
type of access authorized (IV.D.5.b.1) is unrealistic for the
class of machine planned for the field. Since each dataset
must reside on removable media and each storage disk, tape,
etc., is to be marked, why not specify that only those media
marked at the appropriate level be installed on the system?
Or, why not require that system access be authenticated by
password and that there be mechanisms restricting file access
to authorized users? (S)

7. In the following paragraph (IV.D.5.b.2), access to
the master data file is limited to the ADP System Security
Officer; there should always be a backup for this function.
Also, there is a need in some installations for backup of
datasets that require automatic linkage to the master data
file. The password file should be protected by encryption such
that a system dump or system spillage will not compromise this
file. (£}

8. We believe that password procedures (IV.D.5.c) should
apply to standalone word processing terminals since this class
of terminals can read and write the same data sets as other
ADP systems, and up to the same classification levels. (U)

9. If the requirement for file passwords is relaxed,
then paragraph XV. 3.3.2 would have to be revised. (U)

10. The requirement for audit trails presented by
paragraph IV.D.6 may be beyond the capabilities of existing system
software. (U)

11. The section on :>.*.• a. Pn cessi ic (V.3) regarding
abnormal data processing system operation should be rewritten
to be more specific and should concentrate on events that have
security implications. For instance, a reported spillage to
a terminal or printer should be investigated and would be a
valid reason to stop the system. A tape or a disk head
crash should not cause the system to be stopped. (i>)

12. The section on System Maintenance/Modification may
not recognize that the Agency does and will probably continue
to use contractor personnel for on-site maintenance and
field modification of equipment. (U)


13. The certification « t he ISS-l or*, the system software
modifications in section Vu.ii. X.b requires technically expert
people to be meaningful. Since those experts are in short
supply, even in ADP components, this requirement could be a
bottleneck in software api rcr s unless it is treated as a
paper exercise. (U)


14. The key to emergency procedures, as mentioned
before, is in limiting the amount of data stored in the
field, not trying to sanitize or destroy it during an
emergency. The draft does not specify that the procedures
be exercised so that they are proven and field personnel are
fully familiar with them. We suggest a requirement that the
ADP Systems Security Officer be responsible for having ADP
personnel read the procedures. (U)

15. Equipment procurement sterility is not addressed
in the draft. Will there be any policy or guidelines
regarding equipment that is Agency unique? (S)

16. In summary, km- ■■ - . u* o ... .-.it*.* ncj
r ecewanc mis: (S)

    a. Prescribe IHi. t:.o : y: storage of data on the
       removable storage media. (Paragraph 3)

    b. Prescribe guidelines as to what and how much data
       should be kept in the field and under what
       conditions. (Paragraph 3)

    c. Consider encrypting data stored on media.
       (Paragraph 2)

    d. Require volume data set catalogues be maintained.
       (Paragraph 3)

    e. Consider the use of non-removable storage media.
       (Paragraph 3)

    f. Describe system software certification or waiver
       procedures. (Paragraph 4)

    g. Specify that terminals not designated for the
       security classification access
       be electrically disconnected. (Paragraph 5)

    h. Specify that only media marked at the appropriate
       level be installed on the system in lieu of required
       file passwords and indicators. (Paragraph 6)

    i. Require a backup ADP System Security Officer.
       (Paragraph 7)

    j. Provide for backup, where needed, of data sets that
       require automatic linkage to the master data file.
       (Paragraph 7)

    k. Protect the password file from system dumps or
       system spillage. (Paragraph 7)

    l. Employ password procedures for standalone word
       processing terminals. (Paragraph 8)

    m. Revise paragraph U.h.j.o if file passwords are not
       used. (Paragraph 9)

    n. Revise the section on system operation abnormalities
       to concentrate on security implications. (Paragraph 11)

    o. Recognize that contractor personnel may be employed
       for on-site maintenance and field modification of
       equipment. (Paragraph 12)

    p. Review the method of certification of system
       software modification. (Paragraph 13)

    q. Require emergency procedures be exercised. (Paragraph 14)

    r. Include policy on equipment procurement sterility.
       (Paragraph 13)
SUBJECT: Draft Security Requirements for Automated
         Information Systems Located in Overseas
         Installations (U)


CC: DD/A
    C/BD
    DD/P
    C/ED
    C/SPD
    SO/ODP


Distribution: 

Original - Addressee 

1 - C/M5/ODP 
y- O/D/ODP 

2 - ODP Registry 

25X1A O/Q/ODP/^^^^Bcaj/4011 20 June 1980 